// https://syzkaller.appspot.com/bug?id=1708e7a511059b09d2d4136150d3e67ff9dcf25f
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Open the slave side of a pseudo-terminal pair.
//
// a0 is the file descriptor of the pty master and a1 holds the open(2) flags
// for the slave. The master is asked for its pty number with TIOCGPTN and the
// matching /dev/pts/<n> node is then opened by path.
//
// Returns the new slave descriptor, or -1 when the ioctl is rejected or the
// open fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
  int pty_index = 0;
  char slave_path[128];

  // Any non-zero ioctl result means a0 is not a usable pty master.
  if (ioctl(a0, TIOCGPTN, &pty_index) != 0)
    return -1;

  // "/dev/pts/" plus a decimal int fits comfortably in 128 bytes.
  snprintf(slave_path, sizeof(slave_path), "/dev/pts/%d", pty_index);
  return open(slave_path, a1, 0);
}

// Resource slots filled in by main(): r[0] receives the descriptor returned
// for /dev/ptmx and r[1] the one returned by syz_open_pts(). A slot that is
// never assigned keeps the all-ones value, i.e. -1 when passed as an fd.
uint64_t r[2] = {UINT64_MAX, UINT64_MAX};

// Replays the recorded syscall sequence of this syzkaller reproducer.
//
// Every argument buffer is written through a raw pointer into one fixed
// anonymous mapping. Only the two descriptor-returning calls have their
// results inspected; all other return values are ignored, so each step runs
// whether or not the previous one succeeded. Always returns 0.
//
// Constant names in the comments below are the x86-64 Linux meanings of the
// literal values; the code itself only carries the numbers.
int main(void)
{
  // Scratch arena: 0x1000000 bytes (16 MiB) at 0x20000000, prot 3
  // (PROT_READ|PROT_WRITE), flags 0x32 (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS).
  // The result is not checked; if the mapping fails, the first store below
  // faults.
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
  intptr_t res = 0;
  // Open the pty multiplexer. dirfd 0xffffffffffffff9c is -100 (AT_FDCWD).
  // Flags value 6 contains O_RDWR (2); the extra bit 4 has no assigned
  // meaning on Linux as far as I know -- presumably fuzzer noise.
  memcpy((void*)0x20000040, "/dev/ptmx\000", 10);
  res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000040ul, 6ul, 0ul);
  if (res != -1)
    r[0] = res;
  // 36 zero bytes at 0x203b9fdc (4 x u32, 1 x u8, 19 bytes) used as the ioctl
  // argument. 0x40045431 is TIOCSPTLCK, which takes an int; a value of 0
  // unlocks the slave so it can be opened. The bytes past the first int look
  // like leftover struct padding from the fuzzer's type description.
  // NOTE(review): confirm only the leading int is consumed.
  *(uint32_t*)0x203b9fdc = 0;
  *(uint32_t*)0x203b9fe0 = 0;
  *(uint32_t*)0x203b9fe4 = 0;
  *(uint32_t*)0x203b9fe8 = 0;
  *(uint8_t*)0x203b9fec = 0;
  memcpy((void*)0x203b9fed, "\000\000\000\000\000\000\000\000\000\000\000\000"
                            "\000\000\000\000\000\000\000",
         19);
  syscall(__NR_ioctl, r[0], 0x40045431ul, 0x203b9fdcul);
  // Open the slave end with flags 0 (O_RDONLY). If the ptmx open failed,
  // r[0] is still all-ones and this returns -1, leaving r[1] unassigned.
  res = syz_open_pts(r[0], 0);
  if (res != -1)
    r[1] = res;
  // 0x5423 is TIOCSETD with discipline number 7 (N_6PACK): switch the slave
  // tty to the 6pack line discipline. This is the kernel surface the
  // reproducer targets.
  // NOTE(review): attaching 6pack is believed to require CAP_NET_ADMIN;
  // confirm for the kernel under test when rating impact. Kernels that
  // restrict line-discipline module autoloading (dev.tty.ldisc_autoload) may
  // also reject this step if the module is not already loaded.
  *(uint32_t*)0x20fd0ffc = 7;
  syscall(__NR_ioctl, r[1], 0x5423ul, 0x20fd0ffcul);
  // 0x50-byte buffer at 0x200005c0 whose layout resembles struct in6_rtmsg:
  // three 16-byte addresses (fe80::aa, fe80::bb, ::ffff:172.20.20.187)
  // followed by scalar fields. It is passed to ioctl 0x89a0 on fd -1, which
  // cannot reach any handler because the descriptor is invalid. The bytes
  // stored here still matter: they lie inside the range sent by the final
  // write() below.
  *(uint8_t*)0x200005c0 = 0xfe;
  *(uint8_t*)0x200005c1 = 0x80;
  *(uint8_t*)0x200005c2 = 0;
  *(uint8_t*)0x200005c3 = 0;
  *(uint8_t*)0x200005c4 = 0;
  *(uint8_t*)0x200005c5 = 0;
  *(uint8_t*)0x200005c6 = 0;
  *(uint8_t*)0x200005c7 = 0;
  *(uint8_t*)0x200005c8 = 0;
  *(uint8_t*)0x200005c9 = 0;
  *(uint8_t*)0x200005ca = 0;
  *(uint8_t*)0x200005cb = 0;
  *(uint8_t*)0x200005cc = 0;
  *(uint8_t*)0x200005cd = 0;
  *(uint8_t*)0x200005ce = 0;
  *(uint8_t*)0x200005cf = 0xaa;
  *(uint8_t*)0x200005d0 = 0xfe;
  *(uint8_t*)0x200005d1 = 0x80;
  *(uint8_t*)0x200005d2 = 0;
  *(uint8_t*)0x200005d3 = 0;
  *(uint8_t*)0x200005d4 = 0;
  *(uint8_t*)0x200005d5 = 0;
  *(uint8_t*)0x200005d6 = 0;
  *(uint8_t*)0x200005d7 = 0;
  *(uint8_t*)0x200005d8 = 0;
  *(uint8_t*)0x200005d9 = 0;
  *(uint8_t*)0x200005da = 0;
  *(uint8_t*)0x200005db = 0;
  *(uint8_t*)0x200005dc = 0;
  *(uint8_t*)0x200005dd = 0;
  *(uint8_t*)0x200005de = 0;
  *(uint8_t*)0x200005df = 0xbb;
  *(uint8_t*)0x200005e0 = 0;
  *(uint8_t*)0x200005e1 = 0;
  *(uint8_t*)0x200005e2 = 0;
  *(uint8_t*)0x200005e3 = 0;
  *(uint8_t*)0x200005e4 = 0;
  *(uint8_t*)0x200005e5 = 0;
  *(uint8_t*)0x200005e6 = 0;
  *(uint8_t*)0x200005e7 = 0;
  *(uint8_t*)0x200005e8 = 0;
  *(uint8_t*)0x200005e9 = 0;
  *(uint8_t*)0x200005ea = -1;
  *(uint8_t*)0x200005eb = -1;
  *(uint8_t*)0x200005ec = 0xac;
  *(uint8_t*)0x200005ed = 0x14;
  *(uint8_t*)0x200005ee = 0x14;
  *(uint8_t*)0x200005ef = 0xbb;
  *(uint32_t*)0x200005f0 = 2;
  *(uint16_t*)0x200005f4 = 0;
  *(uint16_t*)0x200005f6 = 0;
  *(uint32_t*)0x200005f8 = 0;
  *(uint64_t*)0x20000600 = 0;
  *(uint32_t*)0x20000608 = 0;
  *(uint32_t*)0x2000060c = 0;
  syscall(__NR_ioctl, -1, 0x89a0ul, 0x200005c0ul);
  // msghdr at 0x200001c0 (x86-64 field offsets): no name, one iovec at
  // 0x20000300 pointing to 0x34 bytes at 0x20000240, no control data, flags 0.
  // The payload resembles a netlink message: length 0x34, type 0x14, flags
  // 0x95b5, then a header with family 0xa and two attributes (len 8 / type 8,
  // len 0x14 / type 2). sendmsg is also issued on fd -1 and therefore fails
  // on the invalid descriptor, but these stores likewise fall inside the
  // final write() range.
  *(uint64_t*)0x200001c0 = 0;
  *(uint32_t*)0x200001c8 = 0;
  *(uint64_t*)0x200001d0 = 0x20000300;
  *(uint64_t*)0x20000300 = 0x20000240;
  *(uint32_t*)0x20000240 = 0x34;
  *(uint16_t*)0x20000244 = 0x14;
  *(uint16_t*)0x20000246 = 0x95b5;
  *(uint32_t*)0x20000248 = 0;
  *(uint32_t*)0x2000024c = 0;
  *(uint8_t*)0x20000250 = 0xa;
  *(uint8_t*)0x20000251 = 0;
  *(uint8_t*)0x20000252 = 0;
  *(uint8_t*)0x20000253 = 0;
  *(uint32_t*)0x20000254 = 0;
  *(uint16_t*)0x20000258 = 8;
  *(uint16_t*)0x2000025a = 8;
  *(uint32_t*)0x2000025c = 0xae6b531f;
  *(uint16_t*)0x20000260 = 0x14;
  *(uint16_t*)0x20000262 = 2;
  *(uint8_t*)0x20000264 = 0;
  *(uint8_t*)0x20000265 = 0;
  *(uint8_t*)0x20000266 = 0;
  *(uint8_t*)0x20000267 = 0;
  *(uint8_t*)0x20000268 = 0;
  *(uint8_t*)0x20000269 = 0;
  *(uint8_t*)0x2000026a = 0;
  *(uint8_t*)0x2000026b = 0;
  *(uint8_t*)0x2000026c = 0;
  *(uint8_t*)0x2000026d = 0;
  *(uint8_t*)0x2000026e = -1;
  *(uint8_t*)0x2000026f = -1;
  *(uint32_t*)0x20000270 = htobe32(0);
  *(uint64_t*)0x20000308 = 0x34;
  *(uint64_t*)0x200001d8 = 1;
  *(uint64_t*)0x200001e0 = 0;
  *(uint64_t*)0x200001e8 = 0;
  *(uint32_t*)0x200001f0 = 0;
  syscall(__NR_sendmsg, -1, 0x200001c0ul, 0ul);
  // Write 0xffa8 bytes starting at 0x200000c0 to the pty master. The source
  // range (0x200000c0..0x20010067) covers the msghdr, iovec, netlink-like and
  // in6_rtmsg-like buffers populated above; everything else in it is
  // untouched anonymous memory. Data written to a pty master is delivered to
  // the slave's line discipline, so this is presumably the step that feeds
  // the 6pack receive path and triggers the reported bug -- when triaging,
  // treat the earlier "failed" buffers as part of the input, not as noise.
  syscall(__NR_write, r[0], 0x200000c0ul, 0xffa8ul);
  return 0;
}